When you configure DHCP Snooping in a switch, all ports become untrusted. You have to configure the trusted ports manually on the ports where the packets from the trusted DHCP server are receiving. In this topology, they are e0/0 of CORE & e0/0 of SW.
I am using IOS 15.2 & here are the basic essential commands to configure snooping..
Assuming VLANs and trunks are configured correctly;
(Here I have only VLAN 1)
CORE(config)#ip dhcp snooping
CORE(config)#ip dhcp snooping vlan 1
CORE(config)#int e0/0
CORE(config-if)#ip dhcp snooping trust
SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 1
SW(config)#no ip dhcp snooping information option
SW(config)#int e0/0
SW(config-if)#ip dhcp snooping trust
You can also rate limit the incoming DHCP requests coming from DHCP clients per second by issuing additional commands too which will help to prevent DHCP Exhaustion Attacks..
The above commands will get DHCP snooping working basically..
By default, SW will insert DHCP Option 82 into all DHCP packets it receives from the client. Also by default, CORE will drop those packets as soon as it receives them. A switch with DHCP Snooping enabled will drop packets on untrusted ports that contain Option 82 or have a non-zero giaddr (e.g. 0.0.0.0). This is what is seen in debug on CORE when SW sends a DHCPDISCOVER out port e0/0.
Remember that port e0/1 on CORE is an untrusted port for DHCP Snooping, so it drops the packets by default because Option 82 exists. That traffic never makes it to CORE.
The Option 82 helps to deliver the DHCP messages only to the client for which they are intended. It is turned on by default. The way it does it is using The Circuit ID that identifies the port to which the client is connected (the VLAN and the physical port location in a switch) & The Remote ID that identifies the access switch to which the client is connected (by the MAC address of the switch)
To overcome this problem, you can enter the following command on global configuration mode of CORE to allow option 82;
CORE(config)#ip dhcp snooping information option allow-untrusted
And also if you want to allow option 82 in your network and if the DHCP server is a Cisco device (if CORE switch is the DHCP server in this topology), you will have to enter following command on the DHCP server to identify option 82.
CORE(config)#ip dhcp relay information trust-all
Or you can do in on specific interface only by allowing the following command,
CORE(config-if)#ip dhcp relay information trusted
Or you can simply stop SW from inserting option 82 by entering the following command in global configuration mode of SW;
SW(config)#no ip dhcp snooping information option
That's what I have done in the above topology because it is the easiest solution.
If you are just connecting only a one switch to connect both the client PC and the DHCP server (in same broadcast domain) this is not an issue..
Note:-
Dropping DHCP server packets is not the only thing DHCP Snooping does.
Inspecting the DHCP client traffic on untrusted ports and verifies it with the mac address table and dropping the traffic if it is not matching is another thing DHCP Snooping does automatically..
Most of the time this can happen accidentally because of an ADSL router etc. In a case like that, you will get a complain from users that they receive a different IP range which causes a communication failure. What you must do is just issue a ipconfig /all in command prompt in Windows PC and see the DHCP server IP and then issue an arp -a to find the mac address of the DHCP server and trace to the port it is connected via the switch command prompt and shut it down..
If you have configured DHCP snooping correctly this won't be an issue..
Inspecting the DHCP client traffic on untrusted ports and verifies it with the mac address table and dropping the traffic if it is not matching is another thing DHCP Snooping does automatically..
Preventive Actions If a Rouge DHCP detected??
Most of the time this can happen accidentally because of an ADSL router etc. In a case like that, you will get a complain from users that they receive a different IP range which causes a communication failure. What you must do is just issue a ipconfig /all in command prompt in Windows PC and see the DHCP server IP and then issue an arp -a to find the mac address of the DHCP server and trace to the port it is connected via the switch command prompt and shut it down..
If you have configured DHCP snooping correctly this won't be an issue..
I am in fact thankful to the owner of this web page who has shared this great post at at this time.
ReplyDeleteHi! I could have sworn I've been to this web site before but after browsing through many
ReplyDeleteof the articles I realized it's new to me. Anyways, I'm certainly happy I stumbled upon it and I'll be bookmarking
it and checking back often!